Reports are marked with a severity rating in the report submission form to show how severe the vulnerability is. The severity rating can be seen on reports, Hacktivity, and in the Inbox. On HackerOne, severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations.
The severity level can be marked as:
Hackers can either use manual severity selection, choosing one of these severity levels based on their judgment of the vulnerability, or use a CVSS calculator to give more information about the vulnerability and calculate an exact CVSS score.
The Common Vulnerability Scoring System (CVSS) is an industry-standard calculator used to determine the severity of a vulnerability. The standard enables a common language around the severity of vulnerabilities. HackerOne offers a custom implementation of CVSS 3.0 as well as a standard implementation of CVSS 3.1.
If your program has a unique severity approach, describe it on your Security Page and let hackers manually select severity.
You can make assigning a severity compulsory by configuring this in the submission requirements.